Large corporations, public entities, individuals, SMMEs – virtually anyone can be the target of skilled and professional hackers and cybercriminals, which is why building a strong culture of cyber awareness should be top of mind for SA business leaders,  says Ryan Mer, CEO at eftsure Africa,  a Know Your Payee (KYP) platform provider. 

As more companies recognise the importance of taking measures to protect themselves and their customers by installing sophisticated malware detection systems, and utilising the services of cyber security experts, they may not be assisting their internal stakeholders who are the custodians of much of their data, otherwise known as employees, to safeguard themselves against attack.

Companies frequently organise wellness days for physical and mental health awareness, or team building and feel-good events, but few, if any, take steps to teach safe and healthy digital practices.

Setting an example from the top of the company down is the best place to start instilling good ‘digital hygiene’ at every level of a company’s structure.

With the advent of remote working, and load shedding that has forced many people to seek connectivity in coffee shops, internet cafes and on other public networks, our cell phones, laptops, and tablets are even more exposed.

The first step in leading from the top is being a pioneer of cyber security measures and consistently communicating these to staff through customised education and training. 

It’s equally important to appreciate that there’s a technical component to cyber awareness that can present a learning curve for some staff members.

This makes having robust, automated systems that serve as an extra check and balance critical for businesses today, especially those in the SME sector, who will have a much harder time recovering from the financial consequences following a security breach or act of fraud.

Training in identifying suspect emails and dodgy attachments is also useful for staff, who may easily be convinced to proceed with actioning a payment request from the CFO or open a proof of payment document from an unknown vendor. Most of us know that revealing a PIN number or One Time PIN is a complete no-no.

But it bears repeating that there isn’t a reputable company anywhere that will call and ask you to disclose this information, so helping employees to understand the consequences of gullibility can also go a long way in preventing a cyber-disaster. Cyber threats are often thought of alongside images of a lone hacker in a hoodie, but because cyber criminals are financially motivated, they run their operations like a business and can be very persuasive when targeting victims.

Payment fraud is amongst the most common weaknesses in companies and occurs when invoice payments and salary runs are being processed. A platform like eftsure can mitigate the risks of such fraud, by automatically verifying and re-checking the integrity of the payment details of every company payment prior to payment release.

Real-time prevention is the first line in a company’s defence against fraud and can avert loss of funds, lengthy system shutdowns, forensic investigations and other costly remediation measures after a security breach has been detected.

Most internal IT departments can teach your staff preventative measures to avoid cyberattacks, but whether you use in-house resources or outsource to experts in the cyber security field, it is important that your company first and foremost takes steps to protect itself.

By demonstrating that you take everyone’s cyber safety seriously – both inside and outside the organisation – you will be showing responsible leadership and awareness that modern-day threats pose to the stability of your enterprise.

Ryan Mer, CEO at eftsure Africa, a Know Your Payee (KYP) platform provider, says the most common thread in cases of payment fraud is the human element which can involve sophisticated fraudsters or unscrupulous employees.

In either case, strengthening processes and protocols can mean the difference between being an easy target and stopping payment fraud in its tracks.

Scenario 1: The external risk of a walk-in criminal

A client wants to sell their car. They present their ID document, ownership papers, and bank details.

What the dealership doesn’t know is that the customer is using a stolen or defrauded ID document and isn’t even the legitimate owner of the vehicle. Because the customer presents what looks like credible documentation, the dealership pays the ‘customer’ either in part or in full for their vehicle without realising they have been dealing with a criminal. 

Why it happens: Car papers match the falsified ID document and there is nothing suggesting this is not the legitimate registered owner of vehicle.

In their haste to close the deal and get some desired second hand stock as quickly as possible and avoid inconveniencing the customer, motor dealership employees rush or skip the necessary verification checks which sometimes requires confirmation from various other third parties within the onboarding and payment process.

How it could’ve been prevented: An effective KYP solution would have flagged a mismatch between the client’s stated name and bank account number to prevent the transaction taking place and alerting to the need for caution and additional investigation.

A fully digitised workflow management tool would also ensure a full audit trail for each step in the process to assist employees in following the right procedures for every transaction while increasing efficiencies by automating key verifications in a matter of seconds to guarantee details aren’t compromised prior to releasing payment.

Scenario 2: The internal risk of a corrupt employee

A long-term employee in the accounts department of a respected dealership is defrauding their employer by creating various fake suppliers with their own personal banking details, and that of a friend and relative.

The employee then adds these fictitious payments to a payment batch each month without those responsible for releasing payments even realising.

How it could’ve been prevented:

A trusted eft payment verification platform could have prevented this situation by flagging a mismatch between the ‘supplier’s’ name (in this case the employee’s friend) and their bank account number.

An effective solution would prevent such an incident from occurring in the future as supplier details and bank accounts would be audited, verified and approved at the onboarding point in the process. 

People combined with technology and sound business processes are at the frontline of fighting fraud and mitigating risk.

Considering the potentially devastating financial and reputational harm from payment fraud, implementing KYP technology is an urgent need in the digital transformation for all businesses today and motor dealerships are definitely not exempt from this.

This rapid shift to digital, which is providing necessary solutions during a time of crisis, is fuelling a surge in payments fraud worldwide.

And the threat to companies isn’t only coming from the outside; internal fraud in departments responsible for supplier payments is on the rise, especially with staff working remotely.

Ryan Mer, CEO at eftsure Africa, a Know Your Payee (KYP) platform provider says that while the amount of business transactions taking place online is constantly growing and remote working has become standard, business controls have not kept pace with digital transformation.

His comments on Payments Fraud:

“Companies need to beef up their cybersecurity and anti-fraud solutions. While implementing internal controls takes time, it is imperative that strict controls are in place to mitigate opportunistic as well as organised fraudulent activities.”, says Mer.

From advanced digital security to straight-forward invoice numbers, here are five ways to make your Accounts Payable department the best it can be.

Always use invoice numbers

Often, simple tools are very effective, and invoice numbers are no exception. In fact, invoice numbers should be essential for both your Accounts Payable team and your suppliers.

This not only helps everyone involved to quickly identify which invoices have been paid and which remain outstanding, but it also helps avoid duplicate payments.

Ideally, your Accounts Payable team should use the invoice number as reference when making a payment, otherwise suppliers will find it almost impossible to track their incoming payments – and query it with your team or issue duplicate invoices.

Make sure your team follows a system to standardise invoice numbers from different suppliers, such as encoding leading zeros, using uppercase or lowercase letters, and adding or removing spaces.

Embrace technology

Even your most trusted team members will likely make a mistake at some point, as they’re only human. Automate as many manual procedures as you can to minimise human error in your systems.

A good web interface also saves time. A KPMG study, commissioned in  Australia, showed that eftsure’s web interface, can save a business 29 minutes every time they add or change a supplier and 59 seconds each time they check a single payment. Such savings become very significant over time.

Don’t compromise on security

Financial institutions don’t match business names with account numbers, and fraudsters exploit this at every opportunity.

It’s essential that your Accounts Payable team has measures in place to verify account names with numbers. Furthermore, ensure that your Accounts Payable web interface has security measures to mitigate fraud and other digital threats.

And never compromise on security when it comes to your enterprise resource planning (ERP) system. One popular ERP system had to issue a warning earlier this year after there had been 300 successful exploit attempts on its systems in the preceding six months. Make sure your ERP system is not leaving you exposed to a dangerous security breach.

Keep receiving on track

Have electronic record keeping systems in place so that your Receiving Department can keep track of any physical goods that have been purchased by the organisation – whether large amounts of stock or a small pack of pens for the office.

Then, streamline all communications between Accounts Payable and your Receiving Department – and monitor that this communication remains continuous.

If receiving records are logged in your ERP system, it’s a simple case of checking which items were requisitioned according to the purchase order, facilitating three-way matching so that the Accounts Payable team knows that an invoice is legitimate and accurate.

Ensure strategic alignment between Accounts Payable (AP) and Procurement departments with approval processes in place. Any new supplier onboarding, whether recurring or once off, should require an approval process when being onboarded. Although Procurement is often responsible for the onboarding of new suppliers, there needs to be an oversight between Procurement and AP.

It is important for the AP department to be involved in the approval process of new suppliers and to have real time access to supplier data. By doing this, processes are tightened and the loading of fictitious suppliers can be prevented.

Segregate duties

One of the most important and effective internal controls in Accounts Payable is to ensure that different people are responsible for completing different components of a task. No single individual should have the responsibility of completing an entire task.

Not segregating duties could compound losses caused by errors, as busy staff members can easily make data entry errors. Segregation of duties will allow your team to identify most errors before a payment is made.

Even more concerning than human error, is the risk of internal fraud. Ask any auditor and they’ll tell you that segregating duties is the most effective way to manage the risks associated with both human error and internal fraud.

“Following these easy steps in your Accounts Payable department, will allow for efficiency, streamlined processes and prevent fraud from impacting your bottom line,” concludes Mer.